How use Filtering Input in PHP

User input cannot be trusted. Malicious user can always supply the application with unexpected data. As such malformed input data can cause undesired application actions, it is important to filter all user input and validate that it matches the intended patterns.

In the context of PHP applications, typical user input are URL parameters, HTTP post data, and cookie values. PHP makes these user input values available for the application via the following global arrays:

• $_GET – data from get requests

• $_POST – post request data

• $_COOKIE – cookie information

• $_FILES – uploaded file data

• $_SERVER – server data

• $_ENV – environment variables

• $_REQUEST – combination of GET, POST, and COOKIE

If the feature Register Global is turned on, PHP also creates global variables for the con-tents of the above arrays. It is strongly recommended to turn this feature off, however if it is turned on, the values of these global input variables must be treated as user input too. See section 2.3 for more information about Register Global.

Depending on the scenario, it might be necessary to consider data from sources like files or databases as user input too. This might for example be necessary if the application fetches data from third party databases.

In order to ensure that all user input is filtered before it is used in the application; it is advisable to adhere to the following guidelines:

• Use variable names that make clear whether the contained user input is already vali-dated or not. For example store the filtered data in variables with the prefix “clean_”.

• Make sure that the application exclusively use these clean variables for accessing user input. Especially input arrays like $_GET should never be used as input for any function other than validation functions.

• Always initialize all clean variables. Otherwise attackers might be able to write their own values into these variables if the Register Globals feature is turned on. That way is would be possible to bypass any filtering mechanisms.

Moreover, the global array $_REQUEST should not be used for accessing user input. It hides the source of its contents. Scripts accessing data from $_REQUEST cannot determine whether this data originates for example from server environment variables, GET requests or POST requests. This knowledge is sometimes necessary in order to determine what kind of filtering is necessary.

Useful tools for validating user input are PHP’s cast operators. They convert the data type of variable values. As all user input to PHP scripts is supplied as string, these operators can be used for converting input parameters to their destination type. The following cast operators are the most useful with respect to filtering user input:

• (int), (integer) – cast to integer

• (bool), (boolean) – cast to boolean

• (float), (double), (real) – cast to float

• (string) – cast to string

Other useful functions are the character type functions. They check for example whether a string consists of only alphanumeric characters. PHP provides various of these functions that check for different character classes. The following list contains especially useful examples with respect to input filtering:

• ctype_alnum()

• ctype_alpha()

• ctype_digit()

More specialized methods for validating user input are presented in the following sections of this paper.

Recommendations:

• Do not trust user input. Validate it carefully.

• Access user input only via the global arrays $_GET, $_POST, etc.

• Use a dedicated naming convention for variables that contain the filtered input.

• Make sure only these variables are used for accessing user input throughout the application. Filtering functions should be the only exception.